'Bizarre' Google stops WebView patching on older Androids

News by Doug Drinkwater

Google today ended support for patching the WebView tool that is used on Android 4.3 Jelly Bean and earlier versions of the operating system.

WebView is the component used to render web pages on an Android device but was replaced on Android 4.4 KitKat – the second latest iteration of the Linux-based mobile operating system – with an updated Chromium-based version of the tool that is also used in the Chrome web browser.

But today Google's Android security team quietly announced that it will no longer provide security patches for vulnerabilities reported to affect versions of WebView running on Android devices running Android 4.3 or an older version.

As a result, only devices running KitKat 4.4 and Lollipop 5.0 will receive security patches for WebView from Google – with the rest remaining unpatched or relying on fixes from third parties. Google has said, however, that it would send third-party patches to handset makers if a fix was incorporated into the Android Open Source Project code.

“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration,” a Google spokesman said on the blog post of Rapid7, whose engineering manager Tod Beardsley first noticed the change.

“Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch."

The change will affect millions of Android users; the most recent Android distribution figures reveal that Jelly Bean – which has three separate major versions (4.1, 4.2 and 4.3) – remains the most popular version, accounting for approximately 45 percent of all users. At last year's Google I/O developer conference, the company revealed it had activated 900 million Android devices.

“Google's engineering teams are often the best around at many things, including Android OS development, so to see them walk away from the security game in this area is greatly concerning,” said Beardsley in the blog post.

“As a software developer, I know that supporting old versions of my software is a huge hassle. I empathise with their decision to cut legacy software loose. However, a billion people don't rely on old versions of my software to manage and safeguard the most personal details of their lives. In that light, I'm hoping Google reconsiders if (when) the next privacy-busting vulnerability becomes public knowledge.”

Chris Boyd, malware intelligence analyst at Malwarebytes, said in an email to SCMagazineUK.com: “Despite the potential risk of exploits and drive-by attacks, the most likely method of attack where Android is concerned is still fake / rogue application installs – typically by sites asking the device owner to allow installs from ‘unknown sources’.”

“If they avoid sites offering up free versions of popular apps and games and always read the reviews on the Play store then most people will be as safe as they can be, given this new approach to updates. It is unusual to expect researchers who discover vulnerabilities to provide their own patch alongside it, hoping the Android team may include it at a later date - and it remains to be seen if this approach will be a success.”
